Enumeration

Tools

ADModule: https://github.com/samratashok/ADModule (lets you use the ActiveDirectory module without installing RSAT: Import-Module the ActiveDirectory module DLL directly)

Domain

Get Domain

PowerView
Get-NetDomain
Get-NetDomain -Domain domain.local

ADModule
Get-ADDomain
Get-ADDomain -Identity domain.local

Get Domain SID

PowerView
Get-DomainSID
Get-DomainSID -Domain domain.local

ADModule
(Get-ADDomain).DomainSID
(Get-ADDomain -Identity domain.local).DomainSID

Get Domain Policy

PowerView
Get-DomainPolicy
(Get-DomainPolicy)."system access"
(Get-DomainPolicy -Domain moneycorp.local)."system access"

Get DCs

PowerView
Get-NetDomainController
Get-NetDomainController -Domain moneycorp.local

ADModule
Get-ADDomainController
Get-ADDomainController -DomainName moneycorp.local -Discover

Users

Get a list of users in the current domain

PowerView
Get-NetUser
Get-NetUser -Username student1

ADModule
Get-ADUser -Filter * -Properties *
Get-ADUser -Identity student1 -Properties *

Get a list of all properties for users within the domain

PowerView
# Lists all properties available
Get-UserProperty

# Gets the value of a property for all users in the domain
Get-UserProperty -Properties pwdlastset

ADModule
# Lists all properties available (taken from the first user object)
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType Properties | select Name

# Gets pwdlastset for all users, converted from FILETIME to a readable date
Get-ADUser -Filter * -Properties * | select name,@{n='pwdlastset';e={[datetime]::FromFileTime($_.pwdlastset)}}

Search for a particular string in a user attribute

PowerView
Find-UserField -SearchField Description -SearchTerm "built"

ADModule
Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name,Description

Groups

Get all groups in the current domain

PowerView
Get-NetGroup
Get-NetGroup -Domain <targetdomain>
Get-NetGroup -FullData

ADModule
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *

Get all groups containing "admin" in the current domain

PowerView
Get-NetGroup *admin*

ADModule
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name

Get members of the Domain Admins group

PowerView
Get-NetGroupMember -GroupName "Domain Admins" -Recurse

ADModule
Get-ADGroupMember -Identity "Domain Admins" -Recursive

Get the group membership for a user

PowerView
Get-NetGroup -UserName "student1"

ADModule
Get-ADPrincipalGroupMembership -Identity student1

Computers / Sessions

Get a list of computers in the current domain

PowerView
Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016*"
Get-NetComputer -Ping
Get-NetComputer -FullData

ADModule
Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
Get-ADComputer -Filter * -Properties *

List all local groups on a machine (needs admin privileges to query non-DC machines)

PowerView
Get-NetLocalGroup -ComputerName dcorpdc.dollarcorp.moneycorp.local -ListGroups

List members of local groups on a machine (needs admin privileges on non-DC machines)

PowerView
Get-NetLocalGroup -ComputerName dcorpdc.dollarcorp.moneycorp.local -Recurse

Get actively logged-on users on a target (needs admin rights on the target)

PowerView
Get-NetLoggedon -ComputerName <servername>

Get locally logged-on users on a target (needs Remote Registry enabled; started by default on servers)

PowerView
Get-LoggedonLocal -ComputerName dcorpdc.dollarcorp.moneycorp.local

Get the last logged-on user on a target (needs admin rights and Remote Registry enabled)

PowerView
Get-LastLoggedOn -ComputerName <servername>

Files

Find shares on hosts in the current domain

PowerView
Invoke-ShareFinder -Verbose

Find sensitive files on computers within the domain

PowerView
Invoke-FileFinder -Verbose

Get all file servers of the domain

PowerView
Get-NetFileServer

GPO / OU

Get the list of GPOs in the current domain

PowerView
Get-NetGPO
Get-NetGPO -ComputerName dcorpstudent1.dollarcorp.moneycorp.local

ADModule
Get-GPO -All   # GroupPolicy module
Get-GPResultantSetOfPolicy -ReportType Html -Path C:\Users\Administrator\report.html   # provides RSoP

Get GPOs which use Restricted Groups or groups.xml for interesting users

PowerView
Get-NetGPOGroup

Get users which are in a local group of a machine via GPO

PowerView
Find-GPOComputerAdmin -Computername dcorpstudent1.dollarcorp.moneycorp.local

Find machines where a given user is a member of a specific group

PowerView
Find-GPOLocation -UserName student1 -Verbose

Get OUs in a domain

PowerView
Get-NetOU -FullData

ADModule
Get-ADOrganizationalUnit -Filter * -Properties *

Get a GPO applied on an OU (by the GPO GUID from the OU's gplink attribute)

PowerView
Get-NetGPO -GPOname "{AB306569-220D-43FF-B03B-83E8F4EF8081}"

ADModule
Get-GPO -Guid AB306569-220D-43FF-B03B-83E8F4EF8081   # GroupPolicy module

ACLs

Get ACLs associated with a specific object

PowerView
Get-ObjectAcl -SamAccountName student1 -ResolveGUIDs
Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose
Get-ObjectAcl -ADSpath "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs -Verbose

ADModule
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access

Search for interesting ACEs

PowerView
Invoke-ACLScanner -ResolveGUIDs

Get the ACLs associated with the specified path

PowerView
Get-PathAcl -Path "\\dcorp-dc.dollarcorp.moneycorp.local\sysvol"

Trusts

Domain Trust Mapping

PowerView
Get-NetDomainTrust
Get-NetDomainTrust -Domain us.dollarcorp.moneycorp.local

ADModule
Get-ADTrust
Get-ADTrust -Identity us.dollarcorp.moneycorp.local

Forest Mapping

PowerView
Get-NetForest
Get-NetForest -Forest eurocorp.local

ADModule
Get-ADForest
Get-ADForest -Identity eurocorp.local

Get all domains in the current forest

PowerView
Get-NetForestDomain
Get-NetForestDomain -Forest eurocorp.local

ADModule
(Get-ADForest).Domains

Get all global catalogs for the current forest

PowerView
Get-NetForestCatalog
Get-NetForestCatalog -Forest eurocorp.local

ADModule
Get-ADForest | select -ExpandProperty GlobalCatalogs

Map trusts of a forest

PowerView
Get-NetForestTrust
Get-NetForestTrust -Forest eurocorp.local

ADModule
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'

Scripts

Find all machines in the current domain where the current user has local admin access. (This function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then runs a multi-threaded Invoke-CheckLocalAdminAccess against each machine. It generates logon events on every machine, so it is loud!)

PowerView
Find-LocalAdminAccess -Verbose

# Alternative: Find-WMILocalAdminAccess.ps1

Find local admins on all machines of the domain (needs administrator privileges on non-DC machines). (This function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then runs a multi-threaded Get-NetLocalGroup against each machine.)

PowerView
Invoke-EnumerateLocalAdmin -Verbose

Find computers where a domain admin (or a specified user/group) has sessions. (This function queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of computers (Get-NetComputer), and lists sessions and logged-on users (Get-NetSession/Get-NetLoggedon) from each machine.)

PowerView
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"

Confirm admin access on the machines found

PowerView
Invoke-UserHunter -CheckAccess

Find computers where a domain admin is logged in, with less noise. (This option queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of only high-traffic servers (DCs, file servers and distributed file servers) to generate less traffic, and lists sessions and logged-on users (Get-NetSession/Get-NetLoggedon) from each machine.)

PowerView
Invoke-UserHunter -Stealth

PrivEsc

Unconstrained Delegation

PowerView
Get-NetComputer -UnConstrained
Get-DomainUser -AllowDelegation -AdminCount

ADModule
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq $True}

Constrained Delegation

PowerView
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

ADModule
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

ASREP Roasting

PowerView
Get-DomainUser -PreauthNotRequired -Verbose

ADModule
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth
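An added, defender-side example that is not part of this page, PowerView or ADModule: one function that uses the ActiveDirectory module cmdlets from the Unconstrained Delegation and ASREP Roasting sections above to report every account with unconstrained delegation or Kerberos pre-authentication disabled, skips domain controllers (which are trusted for delegation by design), and can clear the flags with -Remediate. The function name, the -SearchBase default and the output fields are assumptions.

```powershell
# Added audit example (assumes the ActiveDirectory module is loaded and the caller
# can read the domain; -Remediate additionally needs write access to the accounts).
Import-Module ActiveDirectory

function Get-KerberosExposureReport {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Limit the search to an OU; defaults to the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # Clear the risky flags instead of only reporting them (honours -WhatIf).
        [switch]$Remediate
    )

    # Same filters as the cheat-sheet commands, combined into two queries.
    $users = Get-ADUser -SearchBase $SearchBase `
        -Filter { TrustedForDelegation -eq $true -or DoesNotRequirePreAuth -eq $true } `
        -Properties TrustedForDelegation, DoesNotRequirePreAuth, AdminCount, Enabled
    $computers = Get-ADComputer -SearchBase $SearchBase `
        -Filter { TrustedForDelegation -eq $true } -Properties TrustedForDelegation, Enabled

    # DCs are always trusted for delegation; exclude them to avoid false positives.
    $dcDNs = @((Get-ADDomainController -Filter *).ComputerObjectDN)

    $findings = foreach ($acct in @($users) + @($computers)) {
        if ($dcDNs -contains $acct.DistinguishedName) { continue }
        $base = [ordered]@{ Account = $acct.SamAccountName; Class = $acct.ObjectClass
                            DN = $acct.DistinguishedName; Enabled = $acct.Enabled
                            AdminCount = $acct.AdminCount }
        if ($acct.TrustedForDelegation) {
            [pscustomobject]($base + @{ Finding = 'UnconstrainedDelegation' })
        }
        if ($acct.DoesNotRequirePreAuth) {
            [pscustomobject]($base + @{ Finding = 'PreAuthNotRequired' })
        }
    }

    if ($Remediate) {
        foreach ($f in $findings) {
            if ($PSCmdlet.ShouldProcess($f.DN, "clear $($f.Finding)")) {
                switch ($f.Finding) {
                    'UnconstrainedDelegation' { Set-ADAccountControl -Identity $f.DN -TrustedForDelegation $false }
                    'PreAuthNotRequired'      { Set-ADAccountControl -Identity $f.DN -DoesNotRequirePreAuth $false }
                }
            }
        }
    }
    return $findings
}

# Usage: report only, then preview the fix without changing anything.
Get-KerberosExposureReport | Format-Table Account, Class, Finding, Enabled, AdminCount
Get-KerberosExposureReport -Remediate -WhatIf
```

Review the Enabled and AdminCount columns before remediating: a disabled service account with pre-auth off is low risk, while an enabled privileged account is the first thing to fix.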

Clear Passwords

PowerView
# Lists users whose userPassword attribute is populated and decodes it as ASCII
$FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl